Prudential Supervision: Cloud Computing
Cloud computing plays a vital role in enabling inclusive Digital Financial Services (DFS) innovation by allowing financial service providers (FSPs) to access scalable, secure, and cost-effective infrastructure from cloud service providers (CSPs), rather than making heavy investments.
While this fosters flexibility and tailored services for underserved consumers, it also introduces complex supervisory challenges. Supervisors must balance the benefits with risks, such as limited access and audit rights, cross-border data issues, lack of interoperability, and systemic risks from market concentration in a few global CSPs.
Emerging regulatory responses, like Europe’s Digital Operational Resilience Act (DORA), aim to bring critical CSPs under financial oversight, but supervisors still face gaps in international standards and must collaborate with ICT authorities, assess local cloud landscapes, consider designating critical providers to strengthen resilience and oversight, and collaborate internationally to oversee large CSPs.
Additional Reading
The following resources were used to compile this interaction. They are included in the interaction, but we are including them here for ease of reference.
- Toronto Centre, 2020, Cloud Computing: Issues for Supervisors, https://www.torontocentre.org/index.php?option=com_content&view=article&id=226&Itemid=99
- Financial Stability Institute, 2023, Managing Cloud Risk, https://www.bis.org/fsi/publ/insights53.pdf
- Bank for International Settlement, 2023, FSI Insights on Policy Implementation No 53: Managing Cloud Risk: Some Considerations for the Oversight of Critical Cloud Service Providers in the Financial Sector, https://www.bis.org/fsi/publ/insights53.pdf
- Bank of Japan, 2021, Key Considerations for Risk Management in Using Cloud Services, https://www.boj.or.jp/en/research/brp/fsr/fsrb210308.htm
- Dias, D., 2020, Cloud Computing: Issues for Supervisors, Toronto Centre, https://www.torontocentre.org/index.php?option=com_content&view=article&id=226&Itemid=99
- European Banking Authority, 2023, ESAs Report on the Landscape of ICT Third-Party Providers in the EU: Overview of the High-Level Exercise, https://www.eba.europa.eu/publications-and-media/press-releases/esas-publish-report-landscape-ict-third-party-providers-eu
- European Banking Authority, 2026, Recommendations on Outsourcing to Cloud Service Providers, EBA Activities, https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/recommendations-outsourcing-cloud-service-providers
- European Banking Authority, 2026, Digital Operational Resilience Act [DORA], EBA Activities, https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act
- European Banking Authority, 2026, EU’s Digital Operational Resilience Act (DORA) Road Map, https://tools.eba.europa.eu/interactive-tools/2024/powerbi/dora_visualisation.html
- European Banking Authority, 2024, Draft Regulatory Technical Standards: Final Report, https://www.eba.europa.eu/sites/default/files/2024-01/bf5a2976-1a48-44f3-b5a7-56acd23ba55c/JC%202023%2086%20-%20Final%20report%20on%20draft%20RTS%20on%20ICT%20Risk%20Management%20Framework%20and%20on%20simplified%20ICT%20Risk%20Management%20Framework.pdf
- European Central Bank, 2021, ECB Guide on Outsourcing Cloud Services to Cloud Service Providers, https://www.bankingsupervision.europa.eu/framework/legal-framework/public-consultations/pdf/ssm.pubcon240603_draftguide.en.pdf
- Financial Stability Board, 2019, Third Party Dependencies in Cloud Services: Considerations on Financial Stability Implications, https://www.fsb.org/uploads/P091219-2.pdf
- Financial Stability Board, 2023, Final Report on Enhancing Third-Party Risk Management and Oversight – A Toolkit for Financial Institutions and Financial Authorities, https://www.fsb.org/2023/12/final-report-on-enhancing-third-party-risk-management-and-oversight-a-toolkit-for-financial-institutions-and-financial-authorities/
- Monetary Authority of Singapore, 2021, Advisory on Addressing the Technology and Cybersecurity Risks Associated with Public Cloud Adoption, https://www.mas.gov.sg/regulation/circulars/advisory-on-addressing-the-technology-and-cyber-security-risks-associated-with-public-cloud-adoption
- Program on International Financial Systems, 2023, Cloud Adoption in the Financial Sector and Concentration Risk, https://www.fsb.org/uploads/PIFS.pdf
Learning Activity
Press Enter to start the interaction. You will earn 1 point for completing this interaction.